Hacking the computer interface of a Ford Focus Mk2

You can do some neat stuff to the way your Ford Focus Mk2 works, but first you have to gain access to the data system. If you know some Russian, and don’t mind a bit of dongle rewiring, this guide will have you hacking the car’s CAN bus in no time. It was written by [Preee] and he has already added Radio RDS and CD Track information to the speedometer display panel, implemented hands free control for his cellphone, disabled the sounds the car makes when he goes into reverse, changed the door locking speed from 5mph to 10mph, and much more.

To gain access to the system you need hardware to bridge from a computer to the CAN bus. He hit eBay and bought an ELM327 cable which plugs into the On-Board Diagnostics port (ODBII). There are two different ways these dongles can be configured and since this isn’t the right one for the Focus he had to alter it. His hardware changes are illustrated in the second post of the forum thread. Instead of just switching over to the other configuration, he wired up a toggle switch to select between the two.

With hardware in place he grabbed some software and started hacking away. But as we hinted above, it’s not as simple as you might think. The software is in Russian. [Preee] did his best to add translations to a few screenshots, but it’s still going to be a bit of a bother trying to find your way around the GUI.

[Thanks Fred]

Tinkering with ODB II and the CAN bus

[Debrah] is taking his next project out to the garage. He built his own CAN bus reader using a dsPIC.

The nice thing about working with Control Area Network is that it’s a universal standard found on every modern production line automobile. And because of this, the chip you need in order to communicate using that protocol will cost just over a dollar. [Debraj] chose the MCP2551, which comes in several different 8-pin packages. There is even an application note tailored for use with the dsPIC33F family.

The project is running on both 5V and 3.3V rails. This complicates things just a bit, but a level converter makes sure that there’s no communications problems between the chips. A four line character LCD acts as the output during the tests (you can see this in the clip after the break) but he’s already got a second version which looks quite a bit better on the dashboard.

What else can be done with this hack? Well, we’ve seen a method used to read control buttons from the steering wheel before. It all depends on what data your vehicle is transmitting and one way to find that out is to build some hardware and start logging the packets. Continue reading “Tinkering with ODB II and the CAN bus”

CAN bus for home automation

Here’s one node on the new home automation system on which [Black Rynius] is working. So far he’s testing out the system with just two nodes, but plans to build more as the project progresses. He’s chosen to use the CAN bus for communications; a protocol which is most commonly found in automotive applications.

The biggest plus about using the CAN bus is that it requires just one pair of wires for communications. As you can see, there’s an old doorbell included on this board and he’s hoping to use the existing doorbell wire to connect between nodes. Each unit includes a PIC 18F4580 which has a CAN engine built into it for easy protocol translation. There is also an MCP2551 which handles the transmissions. You can read a bit more about the hardware choices in his breadboarding post.

So far almost everything is working as planned. He’s able to send and receive data between the two boards including temperature from a sensor and time from a DS1305 RTC chip. The one thing that vexes him is that doorbell. It draws too much current for the wall wart that’s powering the board, browning out the microcontroller and causing a reset. That’s not a hard fix and we look forward to more developments in the near future.

[via Dangerous Prototypes]

Enhance your key fob via CAN bus hacking

[Igor] drives a 4th generation Volkswagen Golf, and decided he wanted to play around with the CAN bus for a bit. Knowing that the comfort bus is the most accessible and the safest to toy with, he started poking around to see what he could see (Google translation).

He pulled the trim off one of the rear doors and hooked into the comfort bus with an Arudino and a CAN interface module. He sniffed the bus’ traffic for a bit, then decided he would add some functionality to the car that it was sorely lacking. The car’s windows can all be rolled down by turning the key in any lock for more than a few seconds, however this cannot be done remotely. The functionality can be added via 3rd party modules or through manipulating the car’s programming with some prepackaged software, but [Igor] wanted to give it a go himself.

He programmed the Arduino to listen for longer than normal button presses coming from the remote. Once it detects that he is trying to roll the windows up or down, the Arduino issues the proper window control commands to the bus, and his wish is the car’s command.

It’s a pretty simple process, but then again he has just gotten started. We look forward to seeing what else [Igor] is able to pull off in the future.  In the meantime, continue reading to see a quick video of his handiwork.

If you are interested in seeing what you might be able to do with your own car, check out this CAN  bus sniffer we featured a while back.

Continue reading “Enhance your key fob via CAN bus hacking”

Modern car data systems lack security

Tomorrow a team of researchers will present their paper on Experimental Security Analysis of a Modern Automobile (PDF) at the IEEE Symposium on Security & Privacy. Much like the racing simulators we’ve seen they’re exploiting the ODB-II port to get at the vehicle’s Controller-area network, or CAN-bus. We’re not surprised at all that they can display custom text on the dashboard display or read sensor data from the car. What does surprise us is their exposé on how truly unsecured the system is. It seems that access to any device on the CAN-bus gives them unobstructed control of the car’s systems. Any device can send commands to any other device. They’ve even found a way to write malicious code to the car’s computer which can be programmed to erase itself in the event of a crash.

Much like RFID the security risks here are basically nill for the vast majority of consumers. We just find it a bit surprising that there’s apparently been little thought put into fortifying the communications between the safety systems such as the brakes on the vehicle. For instance, team experimented with sending random packets over the CAN-bus and stumbled across a way to lock the brake on just one wheel. To us it’s conceivable that a malfunctioning device on the network could start sending out damaged packets and cause a dangerous malfunction like this one.

The 14-page PDF linked above is a page-turner, check it out on your hacked ereader during lunch.